Swedish data protection authority imposes first fine under GDPR for using facial recognition software
The Swedish data protection authority (Datainspektionen, DPA) imposed for the first time a fine for a breach of the EU General Data Protection Regulation (GDPR). The fine has been imposed on a school in Skellefteå, which carried out attendance checks on pupils in a pilot class over a three-week period using facial recognition software.
In this case, the DPA considered the consent of the pupils’ parents as involuntary because of the dependent relationship with the school. In addition, according to the DPA, the school had failed to carry out a prior data protection impact assessment, although such an assessment would have been necessary in casu. The school in northern Sweden has been fined with SEK 200’000 (CHF 21’000) for these violations of the GDPR.